We somewhat regularly have endpoints that have a certificate, but are not on the standard SSL/TLS port of 443. Currently there is no way to monitor the certificate for those.
Related: supporting STARTTLS for IMAP/SMTP, not just tls-on-connect